Researchers say they have found a flaw in Bluetooth communication that leaves many iOS and Microsoft devices open to being tracked. The researchers also warn that the flaw can leak a user's ID.
Devices that are susceptible to hacking include iOS devices such as iPads and Apple watches, Microsoft products like surface tablets and laptops and FitBits.
“Basically everybody is carrying around a Bluetooth device nowadays in some way, shape or form and that makes it very relevant,” said Johannes Becker, graduate researcher from Boston University.
Devices send out custom addresses that make them susceptible to tracking
When two Bluetooth devices pair up with each other, one device acts as the primary connection, while the other end plays a tertiary role. This tertiary device, such as a speaker or wireless earphones, send out a signal similar to an IP address that contains personal data about the connection.
Technically, this connection is supposed to be an address that can reconfigure itself to protect the identity of the users. However, if hackers were to use a “sniffer program,” a piece of public software that can scan for Bluetooth connections in a nearby area, it could find and identify devices even after the addresses have been reconfigured. (Related: STUPID TECH on parade as company releases Bluetooth-connected salt shaker controlled by Amazon Alexa... is this really necessary?)
The sniffer program uses an algorithm that the researchers have developed known as an address-carryover algorithm. This can exploit “the asynchronous nature of payload and address changes to achieve tracking beyond the address randomization of a device,” wrote the researchers in their paper.
“The algorithm does not require message decryption or breaking Bluetooth security in any way, as it is based entirely on public, unencrypted advertising traffic.”
The unencrypted data comes from “advertising events” that devices send out. These events contain custom data structures that help Windows, iOS and macOS devices interact with other devices within their Bluetooth range. The events can also be used to uniquely identify devices.
The combination of unencrypted data being transmitted regularly and containing personal information means that hackers won't even need to use illegal software to obtain a person's information.
Smart devices are even more vulnerable to tracking
Becker and his research partners David Starobinski and David Li found that Android devices aren't susceptible to this vulnerability because they have a different way of communicating with their tertiary Bluetooth partners. Android devices scan for custom addresses that they can connect to instead of constantly advertising themselves like the way iOS, Microsoft and other smart devices do.
Li, in a statement, remarked that they were surprised at how vulnerable FitBit devices were. He said that restarting the device or draining its battery didn't change the FitBit's custom address, which they say was completely unexpected.
People with devices that may be vulnerable, for comparison, could simply turn their Bluetooth off when they aren't using it, and turn it back on when necessary. This gives the device a new, randomized address. Unfortunately, this doesn't apply to smart devices like FitBit and SmartPen, which neither update nor hide their custom addresses.
The researchers fear that hackers who can figure out how to access the permanent addresses on FitBits, SmartPens and other smart devices could use their knowledge to stalk, spy and abuse innocent people.
For more articles about products that can potentially invade people's privacy, check out the articles at PrivacyWatch.news.
Sources include:
PETSymposium.org [PDF]
Please contact us for more information.